Critical Weaver e-cology RCE Vulnerability Under Active Attack
Key Takeaways A critical remote code execution (RCE) vulnerability, CVE-2026-22679, in Weaver E-cology 10.0 is under active exploitation. The flaw, rated 9.8 CVSS, affects builds released before...
Key Takeaways
- A critical remote code execution (RCE) vulnerability, CVE-2026-22679, in Weaver E-cology 10.0 is under active exploitation.
- The flaw, rated 9.8 CVSS, affects builds released before March 12, 2026, stemming from an unauthenticated debug endpoint.
- Exploitation was detected just five days after a vendor patch became available, highlighting rapid weaponization by threat actors.
- Organizations must immediately update Weaver E-cology systems to build 20260312 or newer and enhance endpoint monitoring.
A severe, unauthenticated remote code execution (RCE) vulnerability within the Weaver E-cology platform is actively being exploited in ongoing attacks. This critical flaw, identified as CVE-2026-22679, holds a maximum CVSS score of 9.8, indicating its extreme severity. It impacts Weaver E-cology 10.0 systems with builds predating March 12, 2026.
Table Of Content
The core of the security weakness lies in an exposed debug endpoint that permits attackers to execute arbitrary system commands without requiring any form of authentication. By crafting and sending specific POST requests, malicious input can be directly passed to the underlying operating system.
Evidence of exploitation first surfaced on March 17, 2026, a mere five days after Weaver released an official patch. This swift weaponization underscores the agility of threat actors in leveraging newly disclosed vulnerabilities to compromise enterprise environments.
Weaver E-cology RCE Under Active Attack
The Vega Threat Research team has meticulously documented a series of attacks that commenced shortly after the vendor issued a fix. Attackers initiated their campaigns by confirming their RCE capabilities through simple network ping callbacks. They utilized the Java Virtual Machine bundled with Tomcat to issue ping commands directed at an infrastructure linked to the Goby vulnerability-scanning framework. This method allowed them to easily verify successful access by looking for unique marker tokens within the HTTP response body.
Following initial access confirmation, the operators aggressively attempted to deploy various malicious payloads over a three-day period. They endeavored to drop multiple executable files and a Windows Installer package, specifically named to mimic the targeted Weaver software. Fortunately, robust endpoint detection and response (EDR) systems successfully quarantined these attempts, effectively preventing the deployment of the malicious files onto the compromised systems.
After their initial payloads were blocked by security tools, the attackers pivoted to more advanced evasion techniques. They copied the legitimate Windows PowerShell executable and renamed it to a plain-text file to circumvent standard process-name-based detection. Through this renamed binary, they attempted to fetch and execute fileless PowerShell scripts directly in memory. However, these actions were also successfully intercepted by the target’s defenses.
Throughout the entire attack sequence, the threat actors consistently executed system discovery commands such as whoami and tasklist. Because the vulnerable debug endpoint echoes the output of executed commands directly within the HTTP response, the attackers did not need to establish a persistent shell on the victim host. This strict request-and-response behavior enabled them to conduct discovery and payload delivery concurrently and with minimal effort.
What You Should Do
- Patch Immediately: Organizations running Weaver E-cology must urgently update their systems to build 20260312 or later. This update completely removes the vulnerable debug endpoint.
- Monitor for Anomalous Processes: Actively monitor for unusual processes spawned by the Java Virtual Machine (
java.exe), particularly those involving network utilities (e.g.,ping.exe) or command-line interpreters (e.g.,cmd.exe,powershell.exe). The Vega Threat Research team provides detailed insights into these indicators. - Strengthen Endpoint Defenses: Ensure robust endpoint detection and response (EDR) solutions are fully operational and configured to block suspicious activities and known indicators of compromise.
- Review Network Traffic: Routinely audit network traffic to affected API paths within your Weaver E-cology deployment for any unauthorized or suspicious requests.
- Implement IOCs: Integrate the provided Indicators of Compromise (IOCs) into your security information and event management (SIEM) systems, intrusion detection systems (IDS), and other threat intelligence platforms for proactive detection.
Indicators of Compromise (IOCs)
Network Indicators
| IP Address | Purpose | Associated URLs / Activity |
|---|---|---|
| 152.32.173[.]138 | Callback verification (Goby framework) | http://152.32.173[.]138/U<16hex>.<8hex> |
| 205.209.116[.]54 | Initial payload hosting | /vsgbt.exe, /hjchhb.exe |
| 161.132.49[.]114 | Base64 stager hosting | /config.js |
| 141.11.89[.]42 | MSI payload delivery | /fanwei0324.msi |
| 132.243.172[.]2 | Fileless PowerShell scripts | /config/xx.ps1, /w-2026/x.ps1 |
File Hash
| File Name | SHA256 Hash |
|---|---|
| fanwei0324[.]msi | 147ac3f24b2b63544d65070007888195a98d30e380f2d480edffb3f07a78377f |
Filenames / Artifacts
| Filename | Description |
|---|---|
| vsgbt[.]exe | Initial stager |
| hjchhb[.]exe | Initial stager |
| nvm[.]exe | Fake Node Version Manager binary |
| fanwei0324[.]msi | Malicious MSI installer |
| 2[.]txt | Renamed PowerShell binary |
| config[.]js | Base64 stager |
| xx[.]ps1 / x[.]ps1 | Fileless PowerShell payloads |
Host Indicators
| Indicator Type | Description |
|---|---|
| Suspicious Processes | java[.]exe spawning cmd[.]exe, powershell[.]exe, ping[.]exe |
| Exploitation Sign | Unauthorized command execution via debug endpoint |
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.